NORTHWELL HEALTH SYSTEM, INC.
Organized Health Care Arrangement
NOTICE OF PRIVACY PRACTICES
Effective Date: April 14, 2003
Revised: January 2004
Revised: October 2005
Revised: August 2007
Revised: September 2007
Revised: July 2009
Revised: July 2010
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
The Northwell Health System, Inc. (the "System") and each of its owned or sponsored Article 28 not-for-profit corporations (each a "Provider") are required by law to protect the privacy of health information that may reveal your identity ("Protected Health Information" or "PHI"), and to provide you with a copy of this Notice, which describes the health information privacy practices of the Provider (including its medical staff, employees, trainees, students, and volunteers).
When the Provider uses or discloses PHI it is required to abide by this Notice (or amended Notice in effect at the time of the use or disclosure of PHI).
You may obtain additional copies of this Notice by accessing the Northwell Health System's website at Northshorelij.com, calling the System's Corporate Privacy Officer at (516) 465-8097 or asking the registrar/receptionist for one at the time of your next visit.
This Notice of our privacy practices explains:
- How we may use and disclose your health information in the course of providing treatment and services to you.
- What rights you have with respect to your health information. These include the right:
  - To inspect and obtain a copy of your health information.
  - To request that we amend health information in our records.
  - To receive an accounting of certain disclosures we have made of your health information.
  - To request that we restrict the use and disclosure of your health information.
  - To request how and where we contact you about medical matters.
  - To receive a paper copy of this Notice.
- How to file a complaint if you believe your privacy rights have been violated.
If you have questions about this document or any other questions regarding the privacy of your medical information, please call the Northwell Health System, Inc. Office of Corporate Compliance at 516-465-8097.
The System and its Providers comprise an Organized Health Care Arrangement ("OHCA") and will share your health information with each other, as necessary, to carry out treatment, payment, or health care operations relating to the OHCA. The OHCA consists of the following health care entities:
- Advanced Heart Physicians & Surgeons Network, P.C.
- Advanced Imaging and Radiology at Lenox Hill Hospital, P.C.
- CHAPS Community Health Center
- Emergency Medicine Service of Staten Island, P.C.
- Forest Hills Hospital
- Franklin Hospital
- Glen Cove Hospital
- Goethals Radiology
- Hospice Care Network, Inc.
- Huntington Hospital - Dolan Family Health Center, Inc.
- Huntington Hospital Association/Huntington Hospital
- Lenox Hill Cardiology Associates, P.C.
- Lenox Hill Emergency Medical Services, P.C.
- Lenox Hill Healthcare Network
- Lenox Hill Hospital
- Lenox Hill Interventional Cardiac and Vascular Services, P.C.
- Lenox Hill Pathology, P.C.
- Lenox Hill Physician Hospital Organization, Inc.
- Lenox Otolaryngology, Head & Neck Surgery, P.C.
- LHH Corporation
- LIJ at Home Pharmacy, Inc.
- LIJ Enterprises, Inc.
- Long Island Jewish Medical Center
- Long Island Jewish Medical Center - Long Island Jewish CHHA (Certified Home Health Agency)
- Manhattan Eye Ear and Throat Institute
- Manhattan Minimally Invasive and Bariatric Surgery, P.C.
- Multispecialty Physicians of Staten Island, P.C.
- North Shore Cardiovascular & Thoracic Surgical, P.C.
- North Shore Comprehensive Women's Health Services, P.C.
- North Shore Family Medicine, P.C.
- North Shore Home Care
- North Shore Imaging Associates, P.C.
- Northwell Health Medical Care P.C.
- Northwell Health Home Care Network
- North Shore Ophthalmology, P.C.
- North Shore Pediatric Associates, P.C.
- North Shore Radiology at Glen Cove, P.C.
- North Shore Regional Health Services Corp
- North Shore Surgical & Musculoskeletal Services, P.C.
- North Shore University Hospital
- North Shore University Hospital Stern Family Center for Extended Care and Rehabilitation
- Northwell Health Network, Inc.
- Northwell Health Radiology Services, P.C.
- Northwell Health Care, Inc.
- Northwell Health System Laboratories
- Northwell Health System, Inc.
- Northwell Health Medical Care Centers, Inc.
- Northwell Health Medical Care, P.L.L.C.
- Oakdale Medical Services, P.C.
- Oakdale Medical Services, P.C./Oakdale Medical Center
- Ocean Breeze Infusion Care, Inc.
- Orzac Center for Extended Care and Rehabilitation
- Park Lenox Emergency Medicine, P.C.
- Park Lenox Medical, P.C.
- Park Lenox OBGYN, P.C.
- Park Lenox Orthopedics, P.C.
- Park Lenox Pediatric, P.C.
- Park Lenox Surgical, P.C.
- Physicians of University Hospital, P.C.
- Plainview Hospital
- Queens Pediatric Associates, P.C.
- RegionCare Nursing Agency
- RegionCare Pharmacy
- RegionCare, Inc.
- S.I. Medical Home Visits, P.C.
- S.I.U.H. Systems, Inc.
- SIUH Hospice
- Southside Hospital
- Sports Physical Therapy Occupational Therapy and Rehabilitation Services of North Shore, P.L.L.C.
- Staten Island Hospitalists, P.C.
- Staten Island Imaging Corp
- Staten Island Medical Intensivist, P.C.
- Staten Island Neonatology, P.C.
- Staten Island University Hospital
- Staten Island University Hospital Perinatology, P.C.
- Staten Island University Hospital Systems, Inc.
- Steven and Alexandra Cohen Children's Medical Center of NY
- Syosset Hospital
- The Elmezzi Graduate School of Molecular Medicine
- The Feinstein Institute For Medical Research
- The Heart Institute
- Transitions of Long Island, Inc.
- United Medical Surgical, P.C.
- University Physicians Oncology/Hematology Group, P.C.
- Verrazano Radiology, P.C.
- VivoHealth, Inc.
- Zucker Hillside Hospital
WHO WILL FOLLOW THIS NOTICE?
The Provider provides health care to patients jointly with physicians and other health care professionals and organizations. The privacy practices described in this notice will be followed by:
- Any health care professional who treats you as an inpatient or outpatient in any of the Provider facilities;
- All employees, medical staff, trainees, students or volunteers at any of the Provider locations;
- All employees, medical staff, trainees, students or volunteers in the practice offices of physicians and other healthcare practitioners employed by the Provider, Faculty Practice Offices, or other facilities that are part of the OHCA System performing treatment, payment or health care operations; and
- Any Business Associate or entity that works on behalf of the Provider.
PROTECTED HEALTH INFORMATION OR PHI
The Provider is committed to protecting the privacy of information gathered about you while providing health-related services. This includes any information that may identify you in connection with your health care. Some examples of PHI are:
- information about your health condition (such as medical conditions and test results you may have);
- information about health care services you have received or may receive in the future (such as a surgical procedure);
- information about your health care benefits under an insurance plan (such as whether a prescription is covered);
- geographic information (such as where you live or work);
- demographic information (such as your race, gender, ethnicity, or marital status);
- unique numbers that may identify you (such as your social security number, your phone number, or your driver's license number);
- biometric identifiers, such as fingerprints; and
- full-face photographs.
USE AND DISCLOSURE OF YOUR HEALTH
Treatment, Payment And Health Care Operations
The Provider and its medical staff, other health care professionals and professional trainees may use your PHI or share it with others to the extent that such information is necessary in order to treat your medical condition, obtain payment for that treatment, and carry out the Provider's normal health care operations. Your PHI may also be shared with affiliated Providers and other health care providers so that they may jointly perform certain treatment, payment activities and health care operations along with the Provider. It is the Provider's practice to request your written consent for disclosures to insurance companies that are responsible for your Provider bill and post-discharge health care providers. Subject to certain exceptions, access, use or disclosure of your PHI will be limited to a "Limited Data Set" or, if necessary, the minimum amount of information necessary to accomplish the purpose of a particular use, disclosure or request within the scope of an individual's employment. The minimum necessary standard does not apply in certain circumstances, such as a disclosure for treatment purposes or to you, the patient. Below are further examples of how your information may be used without your specific authorization.
Treatment. The Provider may share your PHI with caregivers at the Provider who are involved in your care, and they may in turn use that information or share it with others outside the Provider in order to diagnose or treat you. In addition, with your consent the Provider may share your PHI with health care practitioners or facilities that need to know with respect to your treatment outside of the Provider. The Provider also may contact you to provide you with appointment reminders or information about treatment alternatives or other health care related benefits or services, which may be of interest to you. While the Provider will take reasonable steps to safeguard the privacy of your PHI, certain disclosures of your PHI may occur during or as an unavoidable result of our otherwise permissible uses or disclosures of your PHI. For example, during the course of a treatment session other patients in the treatment area may see or overhear discussion of your PHI. These "incidental disclosures" are permissible.
Communication Barriers. The Provider may use and disclose your health information if it is unable to obtain your consent because of substantial communication barriers, and believes you would want the Provider to treat you if it could communicate with you.
Payment. The Provider may use your PHI or share it with others so that it can obtain payment for health care services the Provider provides to you. For example, the Provider may share information about you with your health insurance company in order to obtain reimbursement after you have been treated. The Provider might also need to inform your health insurance company about your health condition in order to obtain pre-approval for your treatment, such as admission to the Provider for a particular type of surgery. In addition, the Provider may share your PHI with other health care providers so that they can obtain payment for services they provide to you.
Health Care Operations. The Provider may use or disclose your PHI in order to conduct its health care operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care that the Provider delivers to you. For example, the Provider may use your PHI to evaluate the quality and competence of its physicians, nurses and other health care workers. The Provider may also use your PHI to educate students and trainees in health related professions. Other examples of health care operations include legal, accounting and transcription services which may be performed through contracts with outside organizations designated as Business Associates. All such contracts will include provisions that the Business Associate also protects the privacy of your PHI. In addition, the Provider may share your health information with other health care providers who have provided services to you in order for them to conduct certain business activities such as activities designed to improve the quality of care or reduce health care costs, to conduct clinical training programs, and to evaluate the experience and performance of its medical staff.
Fundraising. The Provider may use demographic information, for example, your name, where you live or work, and the dates that you received treatment, in order to contact you to raise money to support the operations of the Provider. The Provider also may share this information with a charitable foundation that may contact you to raise money on the Provider's behalf. You will be given an opportunity to elect not to receive further fundraising communications. If you elect not to receive further fundraising communications, your revocation will be treated as a revocation of any prior authorization to receive fundraising communication. If you do not want to be contacted for these fundraising efforts, please contact the Director of Development as follows:
Director of Development
Northwell Health System Foundation
125 Community Drive, Great Neck, New York 11021.
We may include certain limited information about you in the Facility directory while you are a patient at the Facility so your family, friends and clergy can visit you in the Facility and generally know how you are doing. This information may include your name, location in the Facility, your general condition (e.g., undetermined, fair, good, etc.) and your religious affiliation. The information in the directory, except for your religious affiliation, may be released to people who ask for you by name. This information, including your religious affiliation, may be given to a member of the clergy, such as a priest or rabbi, even if they do not ask for you by name. Upon admission you will be given an opportunity to limit or withhold information about you in the Facility Directory.
Family and Friends Involved in Your Care
The Provider may disclose your PHI to a family member, personal friend or any other person identified by you provided that you are present for, or otherwise available prior to the disclosure, you have the capacity to make your own health care decisions, you have been given an opportunity to object to the disclosure and have not done so. If you are not present, you are incapacitated, or in an emergency circumstance, we may exercise our professional judgment to determine whether a disclosure is in your best interests, provided that we only disclose information that is directly relevant to the person's involvement with your health care or payment related to your health care. We may also disclose PHI to a disaster relief organization in order to notify (or assist in notifying) such family members or friends of your location, general condition or death. Information may also be shared with a legally authorized Personal Representative, such as the parent or guardian of a minor, a health care agent, DNR surrogate, or court appointed guardian with health care decision making authority. However, portions of the medical record relating to sexual activity, sexual conduct, tests for sexually transmitted diseases, contraception, family planning, abortion or mental health services may not be accessible to the parent or guardian of a minor unless specific written authorization from the minor patient is received, except as otherwise provided in this Notice. Moreover, the Provider will not share PHI with third parties, including parents or legally appointed guardians of children or adults if the attending physician determines that access to the information requested would pose a serious risk to the mental or physical well-being of the patient or third party, or be detrimental to the relationship between the parents or guardians and the patient.
As Permitted or Required by Law
The Provider may use your PHI and share it with others, as required by law. For example, the Provider will disclose information if required to do so pursuant to a court order. In addition the Provider may use or share PHI concerning mental health services patients as noted below:
Pursuant to a Court Order. The Provider may disclose your PHI pursuant to an order of a court of record requiring disclosure upon a finding by the court that the interest of justice significantly outweighs the need for confidentiality.
Mental Hygiene Legal Service. The Provider may disclose your PHI to the mental hygiene legal service if they are acting as your personal representative.
Involuntary Hospitalization Proceedings. The Provider may disclose your PHI to the attorney(s) who may represent you in any involuntary hospitalization proceeding if the attorney has made a good faith attempt to provide you with a written notice that explains the proceeding and gives you the opportunity to object to the proceeding.
Medical Review Board of the State Commission of Correction. The Provider may disclose your PHI to the medical review board of the New York State Commission of Correction when the board has requested such information in the event of your death.
Endangered Individuals and Law Enforcement Agencies. If your treating psychiatrist or psychologist has determined that you may present a serious and imminent danger to an individual the Provider may disclose your PHI to that individual and a law enforcement agency.
As Authorized by the Department of Mental Health. The Provider may disclose your PHI to:
- persons and agencies needing information to locate missing persons or to a law enforcement agency in connection with criminal investigations, provided that such information will be limited to identifying data;
- appropriate persons and entities when necessary to prevent imminent serious harm to you or another person; and
- a district attorney in connection with and necessary to conduct a criminal investigation of patient abuse.
Director of Community Services. The Provider may disclose your PHI to a director of community services or his or her designee in order to provide oversight of your care.
Public Health Activities
Public Health Activities. The Provider may disclose your PHI to authorized public health officials (or a foreign government agency collaborating with such officials) so they may carry out their public health activities. For example, the Provider may share your PHI with government officials that are responsible for controlling disease, injury or disability. The Provider may also disclose your PHI to a person who may have been exposed to a communicable disease or be at risk for contracting or spreading the disease if the law permits it to do so.
Reports to Employers Regarding Work Related Illnesses or Injuries. Excluding mental health services patients, the Provider may disclose relevant PHI to your employer if the Provider provides health care services to you at the request of your employer related to medical surveillance of the workplace or to evaluate whether you have a work related illness or injury and the employer is required by law (such as Workers Compensation rules) to obtain such information.
Reports to School Districts. The Provider may disclose PHI for a psychiatric patient under the age of 21 years who has been discharged from an inpatient psychiatric unit to the patient's school district in order for the school to continue to provide or arrange for appropriate services to the patient.
Victims of Abuse, Neglect or Domestic Violence. The Provider may release your PHI to a public health authority that is authorized to receive reports of abuse, neglect or domestic violence. For example, the Provider may report your information to government officials if the Provider reasonably believes that you have been a victim of abuse, neglect or domestic violence. The Provider will make every effort to obtain your permission before releasing this information, but in some cases the Provider may be required or authorized to act without your permission.
Health Oversight Activities. The Provider may release your PHI to government agencies authorized to conduct audits, investigations, and inspections of the facility. These government agencies monitor the operation of the health care system, government benefit programs such as Medicare and Medicaid, and compliance with government regulatory programs and civil rights laws.
Product Monitoring, Repair and Recall. The Provider may disclose your PHI to a person or company that is required by the Food and Drug Administration to: (1) report or track product defects or problems; (2) repair, replace, or recall defective or dangerous products; or (3) monitor the performance of a product after it has been approved for use by the general public.
Judicial and Administrative Proceedings. Excluding certain conditions, the Provider may disclose your PHI in the course of a judicial or administrative proceeding in response to a legal order or other lawful process.
Law Enforcement. Excluding certain conditions, the Provider may disclose your PHI to law enforcement officials for the following reasons:
- To comply with a court order, grand jury subpoena or administrative subpoena that is legally enforceable;
- To report certain types of wounds or physical injuries if required to do so by law;
- To assist law enforcement officers with identifying or locating a suspect, fugitive, witness, or missing person, provided that only limited PHI will be disclosed;
- You are the victim of a crime and: (1) the Provider has been unable to obtain your consent because of an emergency or your incapacity; (2) law enforcement officials represent that they need this information immediately to carry out their law enforcement duties; and (3) in the Provider's professional judgment disclosure to these officers is in your best interest;
- In the event of your death, if the Provider suspects that your death resulted from criminal conduct;
- It is necessary to report a crime that occurred on our property; or
- It is necessary to report a crime discovered by the Provider when providing offsite emergency medical care.
To Avert a Serious Threat to Health or Safety. The Provider may use your PHI or share it with others as necessary to prevent a serious threat to your health or safety, or the health or safety of another person or the public. The Provider may also disclose your PHI to law enforcement officers if you tell the Provider that you participated in a violent crime that may have caused serious physical harm to another person (unless you admitted that fact while in counseling), or if the Provider determines that you escaped from lawful custody (such as a prison or mental health institution).
National Security and Intelligence Activities or Protective Services. Excluding certain conditions, the Provider may disclose your PHI to authorized federal officials who are conducting national security and intelligence activities or providing protective services to the President or other important officials.
Military and Veterans. Excluding certain conditions, if you are in the Armed Forces, the Provider may disclose PHI to appropriate military command authorities for activities the military deems necessary to carry out its military mission. The Provider may also release PHI about foreign military personnel to the appropriate foreign military authority.
Inmates and Correctional Institutions. If you are an inmate or a law enforcement officer detains you, the Provider may disclose your PHI to the prison officers or law enforcement officials if necessary to provide you with health care, or to maintain safety, security and good order at the place where you are confined. This includes sharing information that is necessary to protect the health and safety of other inmates or persons involved in supervising or transporting inmates.
Workers' Compensation. The Provider may disclose your PHI to the extent legally required for workers' compensation or similar programs that provide benefits for work-related injuries.
Coroners, Medical Examiners and Funeral Directors. In the event of your death, the Provider may disclose your PHI to a coroner or medical examiner. This may be necessary, for example, to determine the cause of death. The Provider also may release this information to funeral directors as necessary to carry out their duties.
Organ and Tissue Donation. In the event of your death, the Provider may disclose your PHI to organizations that procure or store organs, eyes or other tissues so that these organizations may investigate whether you are a candidate for organ or tissue donation under applicable laws.
Research. In most cases, the Provider will ask for your written authorization before using your PHI or sharing it with others in order to conduct research. However, under some circumstances, the Provider may use and disclose your PHI without your authorization if the Provider obtains approval through a special process to ensure, among other things, that research without your authorization poses minimal risk to your privacy and could not reasonably be performed without waiving your consent. Under no circumstances, however, would the Provider allow researchers to use your PHI publicly. The Provider also may release your PHI without your authorization to people who are preparing a future research project, so long as any information identifying you does not leave the facility. In the event of your death, the Provider may share your PHI with people who are conducting research using the information of deceased persons, as long as they agree not to remove from the facility any information that identifies you.
Completely De-Identified or Partially De-Identified Information
The Provider may use and disclose your PHI if the Provider has removed any information that has the potential to identify you so that the health information is "completely de-identified." The Provider also may use and disclose "partially de-identified" PHI about you if the person who will receive the information signs an agreement to protect the privacy of the information as required by federal and state law. Partially de-identified PHI will not contain any information that would directly identify you (such as your name, street address, social security number, phone number, fax number, electronic mail address, website address or license number).
USE AND DISCLOSURES REQUIRING YOUR WRITTEN AUTHORIZATION
1. Use or Disclosure with Your Authorization. For any purposes other than the ones described in this Notice the Provider may only use or disclose PHI when you give the Provider your authorization on the Provider's authorization form. For instance, you will need to execute an authorization form before the Provider can send your PHI to your life insurance company or to the attorney representing the other party in litigation in which you are involved.
2. Special Authorization. Confidential HIV-related information (for example, information regarding whether you have ever been the subject of an HIV test, have HIV infection, HIV-related illness or AIDS, or any information which could indicate that you have ever been potentially exposed to HIV) will not be used or disclosed to any person without your specific written authorization, except to certain other persons who need to know such information in connection with your medical care, and, in certain limited circumstances, to public health or other government officials (as required by law), to persons specified in a court order, to insurers as necessary for payment for your care or treatment, or to public authorities in order to contact persons with whom you have had sexual contact or have shared needles or syringes (in accordance with a specified process set forth in New York State law). Federal regulation requires special authorization with respect to the disclosure of substance abuse treatment records.
Marketing Communications. The Provider must obtain your written authorization prior to using your PHI to engage in marketing activities. The Provider will not disclose your PHI to a third party for marketing purposes without your specific authorization to do so. The Provider can, however, provide you with marketing materials in a face-to-face encounter, without obtaining your authorization. The Provider may also give you a promotional gift of nominal value. In addition, the Provider may communicate with you about products or services relating to your treatment, case management or care coordination, or alternative treatments, therapies, providers or care settings. Further, the Provider may use or disclose PHI to identify health-related services and products that may be beneficial to your health and then contact you about the services and products, or the Provider may describe to you the products, services or staff of the Provider.
YOUR RIGHTS TO ACCESS AND CONTROL YOUR PHI
Right to Inspect and Receive Copies of Records
You, or your legally authorized representative, have the right to inspect and obtain a copy of any Provider records including those kept in written and/or electronic format, that are used to make decisions about your care and treatment, and any billing records, for as long as the Provider maintains this information. To inspect or obtain a copy of any of these records, you must submit a request in writing to the Health Information Management Correspondence Unit. If you request a copy of the information, the Provider may charge a fee for the costs of copying, mailing or other supplies the Provider uses to fulfill your request. The fee, at the time of the publication of this Notice, is $0.75 per page and must generally be paid before or at the time the Provider gives the copies to you. A waiver of the fee may be given in certain circumstances, upon the approval of the Director of Health Information Management.
The Provider will respond to your request for inspection of records within 10 days. The Provider ordinarily will respond to requests for copies within 30 days if the information is located in the Facility, and within 60 days if it is located off-site. If the Provider needs additional time to respond to a request for copies, the Provider will notify you in writing within the time frame above to explain the reason for and expected duration of the delay.
If you have been admitted to and reside in one of the System's nursing homes, the nursing home will respond to your request for inspection of records within 24 hours. The nursing home will respond to requests for copies within 2 business days. If you no longer reside in the nursing home, the nursing home will respond to your request for inspection of records within 10 days. The nursing home ordinarily will respond to requests for copies within 30 days if the information is located in the Facility, and within 60 days if it is located off-site. If the nursing home needs additional time to respond to a request for copies, the nursing home will notify you in writing within the time frame above to explain the reason for and expected duration of the delay.
Under certain very limited circumstances, the Provider may deny your request to inspect or obtain a copy of your record. If so, the Provider may provide you with a summary of the information instead; or if the Provider has reason to deny only part of your request the Provider will provide you access or copies of the other parts of the record. The Provider will provide a written notice that explains its reasons for providing only a summary or limited portions of the records requested, and a description of the process to have this determination reviewed. The notice will also include information on how to file a complaint about these issues with the Provider or with the Secretary of the U.S. Department of Health and Human Services.
Note. A parent or legal guardian of a minor may be denied access to certain portions of the minor's medical record (for example, records relating to mental health services, venereal disease, abortion, or care and treatment to which the minor is permitted to consent himself, such as HIV testing, sexually transmitted disease diagnosis and treatment, chemical dependence treatment, prenatal care, contraception and/or family planning services).
Right to Amend Records
If you believe that the health information the Provider has about you is incorrect or incomplete, you may ask the Provider to amend the information. You have the right to request an amendment for as long as the information is kept in Provider records. To request an amendment, please complete a Request for an Amendment to Health Information form. Ordinarily the Provider will respond to your request within 60 days. If the Provider needs additional time to respond, the Provider will notify you in writing within 60 days to explain the reason for the delay and when you can expect to have a final answer to your request.
If the Provider denies part of or your entire request, the Provider will provide a written notice that explains the reasons for doing so. You will have the right to have certain information related to your requested amendment included in your records. For example, if you disagree with the Provider's decision, you will have an opportunity to submit a statement explaining your disagreement, which the Provider will include in your records. The written denial notice also will include information on how to file a complaint with the Provider or with the Secretary of the Department of Health and Human Services.
Right to an Accounting of Disclosures
You have a right to request an "Accounting of Disclosures" made within 6 years prior to your request. If your records are maintained in an Electronic Medical Record, you have the right to an Accounting of Disclosures, including routine disclosures, made within 3 years prior to your request. For disclosures made by a Business Associate, the Provider may provide the Accounting of Disclosures itself or provide contact information which will allow you to contact the Business Associate directly. An Accounting of Disclosures is a list with information about certain disclosures of your PHI that the Provider has made to others. An accounting of disclosures will not include:
- Disclosures the Provider made to you or to your personal representative;
- Disclosures made pursuant to your written authorization;
- Disclosures made from the Patient Directory;
- Disclosures made to your friends and family involved in your care or payment for your care;
- Disclosures that were incidental to permissible uses and disclosures of your PHI;
- Disclosures that do not directly identify you;
- Disclosures made to federal officials for national security and intelligence activities; or
- Disclosures about inmates to correctional institutions or law enforcement officers.
The accounting of disclosures may be obtained by writing to the Privacy Officer. Your request must state a time period for the requested disclosures. The Provider may charge you for the cost of providing more than one accounting of disclosures in any 12-month period. The Provider will notify you of any such charge prior to fulfilling your request.
Ordinarily the Provider will respond to your request for an accounting within 60 days. If the Provider needs additional time to prepare the accounting you have requested, the Provider will notify you in writing about the reason for and expected duration of the delay. If required to do so by a government agency the Provider will withhold certain disclosures from the accounting.
Right to Request Additional Privacy Protections
You have the right to request that the Provider restrict its use and disclosure of your PHI for purposes related to treatment, payment or health care operations. You may also request that the Provider limit how it discloses information about you to family or friends involved in your care or payment for your care. For example, you may request that the Provider withhold information about services you received. Requests for restrictions must be made in writing to the Privacy Officer. Your request should include (1) the information you would like to limit; (2) how you would like to limit the use of the information; and (3) to whom you would like the limits to apply.
The Provider is not required to agree to your request for a restriction, unless the request for restriction is for payment purposes and you have paid for the provided services out of pocket in full, unless the disclosure is otherwise required by law. However, if the Provider does agree, the Provider will be bound by its agreement unless the information is needed to provide you with emergency treatment or comply with the law. Once the Provider has agreed to a restriction, you have the right to revoke the restriction at any time. Under some circumstances, the Provider will also have the right to revoke the restriction as long as the Provider notifies you before doing so; in other cases, the Provider will need your permission before the Provider can revoke the restriction.
Right to Request Confidential Communications
You have the right to request that you receive PHI by alternative means of communication or at alternative locations. For example, you may ask that the Provider contact you at work instead of at home. Such requests must be made in writing to the Privacy Officer. The Provider will not ask you the reason for your request, and the Provider will try to accommodate all reasonable requests.
Right to Receive Notice of a Breach
You have a right to be notified by the Provider by first class mail or by e-mail (if you have indicated a preference to receive information by e-mail), of any breaches of Unsecured Protected Health Information as soon as possible, but in any event, no later than 60 days following the discovery of the breach. "Unsecured Protected Health Information" is information that is not secured through the use of a technology or methodology identified by the Secretary of the U.S. Department of Health and Human Services to render the Protected Health Information unusable, unreadable, and undecipherable to unauthorized users. This notice is required to include the following information:
- A brief description of the breach, including the date of the breach and the date of its discovery, if known;
- A description of the type of Unsecured Protected Health Information involved in the breach;
- Steps you should take to protect yourself from potential harm resulting from the breach;
- A brief description of actions we are taking to investigate the breach, mitigate losses, and protect against further breaches; and
- Contact information, including a toll-free telephone number, e-mail address, Web site or postal address to permit you to ask questions or obtain additional information.
In the event the breach involves 10 or more patients whose contact information is out of date, we will post a notice of the breach on the home page of our Web site or prominent media outlets. If the breach involves more than 500 patients in the state or jurisdiction, we will send notices to prominent media outlets. If the breach involves more than 500 patients we are required to immediately notify the Secretary of the U.S. Department of Health and Human Services. We are also required to submit an annual report to the Secretary of the U.S. Department of Health and Human Services of a breach that involves less than 500 patients during the year and will maintain a written log of breaches involving less than 500 patients.
7. How to File a Privacy Complaint
You may report a privacy complaint to the Corporate Compliance Privacy Officer in writing to the following address. Complaints to the Corporate Privacy Officer must be in writing and submitted to:
Corporate Compliance Privacy Officer
200 Community Drive
Great Neck, New York 11021
You will not be retaliated against or denied any health services if you file a complaint. If you are not satisfied with the Provider's response to your privacy complaint or otherwise wish to file a privacy complaint with the Secretary of the U.S. Department of Health and Human Services, the complaint must:
- Be in writing, either on paper or electronically;
- Name the person or organization that is the subject of the complaint, and describe the acts or omissions that you believe violated your privacy; and
- Be filed within 180 days of when you knew or should have known that the act or omission you are complaining of occurred. OCR may extend the 180-day period if you can show "good cause."
- Be sent to:
Region II: New York
Michael Carter, Regional Manager
Office of Civil Rights
U.S. Department of Health and Human Services
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278